How to Tell If a Website Is Built With WordPress (and Find Its Theme & Plugins)
Seven reliable ways to confirm a site runs WordPress — then how to uncover the exact theme, plugins and version it uses, and when those signals are deliberately hidden.
Wondering whether a site runs WordPress? You can usually confirm it in seconds — and then go further to identify the exact theme and plugins behind it. WordPress is the obvious first guess for any unknown site: according to W3Techs, it powers roughly 43% of all websites and about 60% of every site whose CMS is known. Here are seven reliable signals, from fastest to most thorough.
This guide assumes you already know how to find out what a website is built with in general; here we focus specifically on WordPress.
Why it pays to identify WordPress
Knowing a site runs WordPress changes how you approach it. For agencies and freelancers, it signals exactly which skills a redesign or migration will need. For competitive research, it reveals whether a rival runs a page-builder stack (Elementor, Divi) or a hand-coded theme. For security and due diligence, WordPress's plugin surface is the most common entry point for vulnerabilities, so spotting an outdated plugin early genuinely matters. And for sales prospecting, every WordPress site is a qualified lead for hosting, themes, plugins or maintenance. Because the platform is so widespread, this single check often shapes the rest of your analysis.
1. Look for /wp-content/ and /wp-includes/ in the source
View the page source (Ctrl/Cmd + U) and search for wp-content or wp-includes. WordPress serves nearly all themes, plugins and uploaded media from /wp-content/, and core scripts from /wp-includes/. The presence of either is the single strongest front-end indicator that a site is WordPress.
2. Check the /wp-json/ REST API
Append /wp-json/ to the domain. WordPress exposes a REST API at this path by default, and a structured JSON response — typically naming the site and its routes — is firm confirmation. The endpoint /wp-json/wp/v2/ lists core content types and is hard to fake accidentally.
3. Read the generator meta tag
In the <head>, look for:
<meta name="generator" content="WordPress 6.7" />
This tag confirms WordPress and frequently includes the exact version. It is also emitted in the RSS feed (/feed/) generator field, which is a useful fallback when the HTML tag has been removed.
4. Probe the admin and login paths
WordPress installs an admin area at /wp-admin/ and a login screen at /wp-login.php. A redirect to a recognisable WordPress login confirms the platform even when front-end markers are stripped. (Visiting these paths only loads pages the server already serves publicly — it is not an attempt to log in.)
5. Inspect the HTTP response headers and cookies
The server leaks WordPress tells that a theme can't easily remove. In your browser's Network tab, open the main document request and read the response headers:
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"— emitted by WordPress core and one of the most reliable signals, because it advertises the REST API even after the generator tag has been deleted.X-Pingback: https://example.com/xmlrpc.php— the classic WordPress pingback endpoint.- Cookies named
wordpress_,wp-settings-andwordpress_logged_in_appear once you interact with a login or comment form.
How reliable is each signal?
| Signal | What it proves | Reliability |
|---|---|---|
/wp-content/ in the source | WordPress (themes/uploads) | Very high |
/wp-json/ REST API responds | WordPress core | Very high |
rel="https://api.w.org/" Link header | WordPress core | Very high |
X-Pingback / xmlrpc.php | WordPress | High |
/wp-admin/ redirect to login | WordPress | High |
| Generator meta tag | WordPress + version | Medium (often removed) |
How to find the active theme
The active theme is the most readable layer. WordPress loads the main stylesheet from:
/wp-content/themes/<theme-slug>/style.css
The <theme-slug> is the theme's folder name. Opening that style.css reveals a standard header block:
/*
Theme Name: Astra
Version: 4.6.2
Author: Brainstorm Force
*/
That header gives you the theme's name, version and author in one place. Page-builder frameworks such as Elementor, Divi and Astra are especially easy to spot this way because their asset paths are distinctive.
How to identify plugins
Plugins announce themselves through the assets they load. Scan the source and Network tab for URLs under:
/wp-content/plugins/<plugin-slug>/
Each <plugin-slug> names a plugin in use — for example woocommerce, elementor, wordpress-seo (Yoast) or contact-form-7. Some plugins also expose a readme.txt inside their folder that states the version. Bear in mind this detects only plugins that add front-end CSS or JavaScript; back-end-only plugins leave no public trace, so treat the result as a high-quality sample rather than a complete inventory.
WordPress's extensibility is the reason this matters: the official directory alone hosts over 60,000 free plugins, and the e-commerce plugin WooCommerce powers millions of online stores, making it the most widely used e-commerce solution on the web.
Spotting WooCommerce and other heavyweight plugins
Some plugins are distinctive enough to recognise instantly. WooCommerce adds woocommerce body classes, loads assets from /wp-content/plugins/woocommerce/ and fires AJAX "cart fragments" requests — a near-certain sign of a WordPress store. Elementor and Divi scatter their own class prefixes (elementor-, et_pb_) across the markup. Yoast SEO wraps its meta tags in a labelled HTML comment block. Cache plugins such as WP Rocket and LiteSpeed Cache leave a tell-tale "cached by" comment near the closing </html>. Each of these is a strong secondary confirmation layered on top of the core signals.
How to detect the WordPress version
The version number, when exposed, helps you judge how current — and how secure — a site is. Check three places: the <meta name="generator"> tag, the RSS feed (/feed/) generator field, and readme.html at the site root, which states the major version. Version query strings on core assets (for example ?ver=6.7) sometimes leak it too. Security-minded owners strip all of these, so a missing version is common — and is not, by itself, proof a site is hardened, only that the obvious tells were removed.
When the signals are hidden
A site can run WordPress while showing few of these tells:
- Headless WordPress serves its front end through a separate framework (commonly Next.js or Nuxt) and exposes content only through the API, so the public HTML has no
/wp-content/markers. - Full-page caching and CDNs serve static snapshots that may still contain asset paths but hide dynamic clues.
- Security plugins can rename the login URL, remove the generator tag and obscure version numbers.
In these cases, combine the REST API check, cookie names (WordPress sets recognisable wordpress_ and wp-settings- cookies for logged-in sessions) and asset fingerprints to reach a confident answer.
WordPress.com or self-hosted WordPress.org?
Confirming WordPress is one thing; knowing which kind is another, and it changes what you can infer about the owner's hosting and budget. Self-hosted WordPress.org is the open-source software running on the owner's own hosting, with full control over themes and plugins — by far the most common form. WordPress.com is the managed, hosted service operated by Automattic. The tells differ: WordPress.com sites often serve assets from *.wp.com and *.wordpress.com domains, load Jetpack-related scripts by default, and tend to resolve to Automattic's network in a hosting lookup. A self-hosted site, by contrast, points at an independent host and exposes the full /wp-content/plugins/ directory. Spotting the difference tells you whether you are looking at a hands-on owner or a managed-platform customer.
A note on false positives
A few non-WordPress builders deliberately echo WordPress URL patterns, and some static exports of old WordPress sites keep /wp-content/ paths long after the CMS itself is gone. Treat /wp-content/ plus a live /wp-json/ API as the gold standard — together they confirm an active WordPress install rather than just its leftovers.
How accurate is WordPress detection?
When the core signals are present, WordPress detection is about as certain as web fingerprinting gets — /wp-content/, a live /wp-json/ API and the api.w.org Link header together leave little room for doubt. Theme detection is similarly dependable because the stylesheet path is public. Plugin detection is the weakest layer: you reliably catch plugins that load front-end assets but miss purely server-side ones, so read the plugin list as a representative sample rather than a complete inventory. The professional habit is unchanged — confirm WordPress itself with at least two independent signals before relying on the result.
The fast, reliable workflow
- Search the source for
/wp-content/or/wp-includes/. - Open
/wp-json/to confirm the REST API. - Read the generator tag for the version.
- Find the theme in
/wp-content/themes/<slug>/style.css. - List plugins from
/wp-content/plugins/<slug>/asset URLs. - Cross-check at least two of the above before concluding.
A detector automates every step at once. As the StackOptic Research Team notes, "WordPress is the most fingerprint-rich platform on the web — the hard part isn't detecting it, it's separating the theme and plugins from the noise."
Go deeper
- New to stack detection? Start with how to find out what a website is built with.
- Want the infrastructure too? See how to find out where a website is hosted.
Want this in one click? Analyse any website with StackOptic to see its CMS, theme, plugins and full stack instantly — free.
Frequently asked questions
How can I tell if a website is built with WordPress for free?
Open the page source and search for '/wp-content/' or '/wp-includes/'. If either appears, the site is almost certainly WordPress. You can also visit /wp-json/ — a live REST API response confirms it — or run the URL through a free detector such as StackOptic, which checks all of these signals at once.
How do I find out which WordPress theme a website uses?
Look in the page source for a stylesheet at /wp-content/themes/<name>/style.css. The folder <name> is the theme slug, and opening that style.css reveals a header block listing the theme's name, author and version. Detection tools surface the active theme automatically.
Can you see what plugins a WordPress site has installed?
You can detect many of them. Plugins load CSS and JavaScript from /wp-content/plugins/<plugin>/, so those asset URLs in the page source name the plugins in use. Some plugins also expose a readme.txt with a version number. You cannot see plugins that add no front-end assets, so the list is a strong sample rather than a complete inventory.
Why does a WordPress site sometimes look like it isn't WordPress?
Headless WordPress serves its front end through a separate framework (such as Next.js), so the public HTML carries no /wp-content/ markers. Aggressive caching, asset bundling and security plugins that rename or hide paths can also mask the signals. In those cases the REST API, specific cookie names or subtle header tells are the giveaways.
Is it possible to detect the WordPress version a site runs?
Often, yes. The version can appear in the <meta name="generator"> tag, in the RSS feed generator field, or in readme.html at the site root. Many site owners remove these for security, so a missing version is common and is not itself proof the site is hardened.
Analyse any website with StackOptic
Get the full technology stack, performance, security and SEO report in seconds — free.
Analyse a websiteRelated articles
How to Tell If a Website Uses Heap
Heap (Heap Analytics) autocaptures product events. Detect it via the cdn.heapanalytics.com script, the global heap object, heapanalytics.com beacons and _hp2 cookies.
How to Tell If a Website Uses Foundation
Foundation (by Zurb) is a responsive front-end framework. Detect it via its grid classes (row/columns, grid-x/cell), data-* component attributes and the foundation.css/js files.
How to Tell If a Website Uses Crisp
Crisp is a developer-friendly, affordable live-chat and messaging tool. Detect it via the client.crisp.chat/l.js script, the window.$crisp object and the CRISP_WEBSITE_ID value.